1 files changed, 48 insertions, 27 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index c94675c6f..b0ced5ac7 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -25,18 +26,31 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <errno.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
+#include "xmalloc.h"
 #include "ssh.h"
 #include "dh.h"
+#include "buffer.h"
+#include "key.h"
+#include "cipher.h"
 #include "kex.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "auth-options.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "packet.h"
 #include "mac.h"
 #include "log.h"
@@ -48,20 +62,18 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");
 #include "zlib.h"
 #endif
 #include "monitor.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
-#include "xmalloc.h"
 #include "atomicio.h"
 #include "monitor_fdpass.h"
-#include "getput.h"
+#include "misc.h"
 #include "servconf.h"
-#include "auth.h"
 #include "channels.h"
 #include "session.h"
+#include "servconf.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
 /* Imports */
 extern int compat20;
@@ -91,7 +103,7 @@ mm_request_send(int sock, enum monitor_reqtype type, Buffer *m)
        debug3("%s entering: type %d", __func__, type);
-        PUT_32BIT(buf, mlen + 1);
+        put_u32(buf, mlen + 1);
        buf[4] = (u_char) type;         /* 1st byte of payload is mesg-type */
        if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
                fatal("%s: write: %s", __func__, strerror(errno));
@@ -112,7 +124,7 @@ mm_request_receive(int sock, Buffer *m)
                        cleanup_exit(255);
                fatal("%s: read: %s", __func__, strerror(errno));
        }
-        msg_len = GET_32BIT(buf);
+        msg_len = get_u32(buf);
        if (msg_len > 256 * 1024)
                fatal("%s: read: bad msg_len %d", __func__, msg_len);
        buffer_clear(m);
@@ -196,7 +208,8 @@ mm_getpwnamallow(const char *username)
 {
        Buffer m;
        struct passwd *pw;
-        u_int pwlen;
+        u_int len;
+        ServerOptions *newopts;
        debug3("%s entering", __func__);
@@ -212,8 +225,8 @@ mm_getpwnamallow(const char *username)
                buffer_free(&m);
                return (NULL);
        }
-        pw = buffer_get_string(&m, &pwlen);
+        pw = buffer_get_string(&m, &len);
-        if (pwlen != sizeof(struct passwd))
+        if (len != sizeof(struct passwd))
                fatal("%s: struct passwd size mismatch", __func__);
        pw->pw_name = buffer_get_string(&m, NULL);
        pw->pw_passwd = buffer_get_string(&m, NULL);
@@ -223,6 +236,16 @@ mm_getpwnamallow(const char *username)
 #endif
        pw->pw_dir = buffer_get_string(&m, NULL);
        pw->pw_shell = buffer_get_string(&m, NULL);
+        /* copy options block as a Match directive may have changed some */
+        newopts = buffer_get_string(&m, &len);
+        if (len != sizeof(*newopts))
+                fatal("%s: option block size mismatch", __func__);
+        if (newopts->banner != NULL)
+                newopts->banner = buffer_get_string(&m, NULL);
+        copy_set_server_options(&options, newopts, 1);
+        xfree(newopts);
        buffer_free(&m);
        return (pw);
@@ -637,7 +660,7 @@ mm_send_keystate(struct monitor *monitor)
 }
 int
-mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
+mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
 {
        Buffer m;
        char *p, *msg;
@@ -776,8 +799,11 @@ mm_sshpam_query(void *ctx, char **name, char **info,
        *name = buffer_get_string(&m, NULL);
        *info = buffer_get_string(&m, NULL);
        *num = buffer_get_int(&m);
-        *prompts = xmalloc((*num + 1) * sizeof(char *));
+        if (*num > PAM_MAX_NUM_MSG)
-        *echo_on = xmalloc((*num + 1) * sizeof(u_int));
+                fatal("%s: recieved %u PAM messages, expected <= %u",
+                    __func__, *num, PAM_MAX_NUM_MSG);
+        *prompts = xcalloc((*num + 1), sizeof(char *));
+        *echo_on = xcalloc((*num + 1), sizeof(u_int));
        for (i = 0; i < *num; ++i) {
                (*prompts)[i] = buffer_get_string(&m, NULL);
                (*echo_on)[i] = buffer_get_int(&m);
@@ -860,8 +886,8 @@ mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
        *name = xstrdup("");
        *infotxt = xstrdup("");
        *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char *));
+        *prompts = xcalloc(*numprompts, sizeof(char *));
-        *echo_on = xmalloc(*numprompts * sizeof(u_int));
+        *echo_on = xcalloc(*numprompts, sizeof(u_int));
        (*echo_on)[0] = 0;
 }
@@ -928,9 +954,8 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
   u_int *numprompts, char ***prompts, u_int **echo_on)
 {
        Buffer m;
-        int len;
        u_int success;
-        char *p, *challenge;
+        char *challenge;
        debug3("%s: entering", __func__);
@@ -954,11 +979,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
        mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-        len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;
+        xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
-        p = xmalloc(len);
-        strlcpy(p, challenge, len);
-        strlcat(p, SKEY_PROMPT, len);
-        (*prompts)[0] = p;
        xfree(challenge);
        return (0);

diff --git a/monitor_wrap.c b/monitor_wrap.c index c94675c6f..b0ced5ac7 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1,3 +1,4 @@
		1	/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
1	/*	2	/*
2	* Copyright 2002 Niels Provos <provos@citi.umich.edu>	3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>
3	* Copyright 2002 Markus Friedl <markus@openbsd.org>	4	* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -25,18 +26,31 @@
25	*/	26	*/
26		27
27	#include "includes.h"	28	#include "includes.h"
28	RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");	29
		30	#include <sys/types.h>
		31	#include <sys/uio.h>
		32
		33	#include <errno.h>
		34	#include <pwd.h>
		35	#include <signal.h>
		36	#include <stdarg.h>
		37	#include <stdio.h>
		38	#include <string.h>
		39	#include <unistd.h>
29		40
30	#include <openssl/bn.h>	41	#include <openssl/bn.h>
31	#include <openssl/dh.h>	42	#include <openssl/dh.h>
32		43
		44	#include "xmalloc.h"
33	#include "ssh.h"	45	#include "ssh.h"
34	#include "dh.h"	46	#include "dh.h"
		47	#include "buffer.h"
		48	#include "key.h"
		49	#include "cipher.h"
35	#include "kex.h"	50	#include "kex.h"
		51	#include "hostfile.h"
36	#include "auth.h"	52	#include "auth.h"
37	#include "auth-options.h"	53	#include "auth-options.h"
38	#include "buffer.h"
39	#include "bufaux.h"
40	#include "packet.h"	54	#include "packet.h"
41	#include "mac.h"	55	#include "mac.h"
42	#include "log.h"	56	#include "log.h"
@@ -48,20 +62,18 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.40 2005/05/24 17:32:43 avsm Exp $");
48	#include "zlib.h"	62	#include "zlib.h"
49	#endif	63	#endif
50	#include "monitor.h"	64	#include "monitor.h"
		65	#ifdef GSSAPI
		66	#include "ssh-gss.h"
		67	#endif
51	#include "monitor_wrap.h"	68	#include "monitor_wrap.h"
52	#include "xmalloc.h"
53	#include "atomicio.h"	69	#include "atomicio.h"
54	#include "monitor_fdpass.h"	70	#include "monitor_fdpass.h"
55	#include "getput.h"	71	#include "misc.h"
56	#include "servconf.h"	72	#include "servconf.h"
57		73
58	#include "auth.h"
59	#include "channels.h"	74	#include "channels.h"
60	#include "session.h"	75	#include "session.h"
61		76	#include "servconf.h"
62	#ifdef GSSAPI
63	#include "ssh-gss.h"
64	#endif
65		77
66	/* Imports */	78	/* Imports */
67	extern int compat20;	79	extern int compat20;
@@ -91,7 +103,7 @@ mm_request_send(int sock, enum monitor_reqtype type, Buffer *m)
91		103
92	debug3("%s entering: type %d", __func__, type);	104	debug3("%s entering: type %d", __func__, type);
93		105
94	PUT_32BIT(buf, mlen + 1);	106	put_u32(buf, mlen + 1);
95	buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */	107	buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
96	if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))	108	if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
97	fatal("%s: write: %s", __func__, strerror(errno));	109	fatal("%s: write: %s", __func__, strerror(errno));
@@ -112,7 +124,7 @@ mm_request_receive(int sock, Buffer *m)
112	cleanup_exit(255);	124	cleanup_exit(255);
113	fatal("%s: read: %s", __func__, strerror(errno));	125	fatal("%s: read: %s", __func__, strerror(errno));
114	}	126	}
115	msg_len = GET_32BIT(buf);	127	msg_len = get_u32(buf);
116	if (msg_len > 256 * 1024)	128	if (msg_len > 256 * 1024)
117	fatal("%s: read: bad msg_len %d", __func__, msg_len);	129	fatal("%s: read: bad msg_len %d", __func__, msg_len);
118	buffer_clear(m);	130	buffer_clear(m);
@@ -196,7 +208,8 @@ mm_getpwnamallow(const char *username)
196	{	208	{
197	Buffer m;	209	Buffer m;
198	struct passwd *pw;	210	struct passwd *pw;
199	u_int pwlen;	211	u_int len;
		212	ServerOptions *newopts;
200		213
201	debug3("%s entering", __func__);	214	debug3("%s entering", __func__);
202		215
@@ -212,8 +225,8 @@ mm_getpwnamallow(const char *username)
212	buffer_free(&m);	225	buffer_free(&m);
213	return (NULL);	226	return (NULL);
214	}	227	}
215	pw = buffer_get_string(&m, &pwlen);	228	pw = buffer_get_string(&m, &len);
216	if (pwlen != sizeof(struct passwd))	229	if (len != sizeof(struct passwd))
217	fatal("%s: struct passwd size mismatch", __func__);	230	fatal("%s: struct passwd size mismatch", __func__);
218	pw->pw_name = buffer_get_string(&m, NULL);	231	pw->pw_name = buffer_get_string(&m, NULL);
219	pw->pw_passwd = buffer_get_string(&m, NULL);	232	pw->pw_passwd = buffer_get_string(&m, NULL);
@@ -223,6 +236,16 @@ mm_getpwnamallow(const char *username)
223	#endif	236	#endif
224	pw->pw_dir = buffer_get_string(&m, NULL);	237	pw->pw_dir = buffer_get_string(&m, NULL);
225	pw->pw_shell = buffer_get_string(&m, NULL);	238	pw->pw_shell = buffer_get_string(&m, NULL);
		239
		240	/* copy options block as a Match directive may have changed some */
		241	newopts = buffer_get_string(&m, &len);
		242	if (len != sizeof(*newopts))
		243	fatal("%s: option block size mismatch", __func__);
		244	if (newopts->banner != NULL)
		245	newopts->banner = buffer_get_string(&m, NULL);
		246	copy_set_server_options(&options, newopts, 1);
		247	xfree(newopts);
		248
226	buffer_free(&m);	249	buffer_free(&m);
227		250
228	return (pw);	251	return (pw);
@@ -637,7 +660,7 @@ mm_send_keystate(struct monitor *monitor)
637	}	660	}
638		661
639	int	662	int
640	mm_pty_allocate(int ptyfd, int ttyfd, char *namebuf, int namebuflen)	663	mm_pty_allocate(int ptyfd, int ttyfd, char *namebuf, size_t namebuflen)
641	{	664	{
642	Buffer m;	665	Buffer m;
643	char p, msg;	666	char p, msg;
@@ -776,8 +799,11 @@ mm_sshpam_query(void ctx, char name, char *info,
776	*name = buffer_get_string(&m, NULL);	799	*name = buffer_get_string(&m, NULL);
777	*info = buffer_get_string(&m, NULL);	800	*info = buffer_get_string(&m, NULL);
778	*num = buffer_get_int(&m);	801	*num = buffer_get_int(&m);
779	prompts = xmalloc((num + 1) * sizeof(char *));	802	if (*num > PAM_MAX_NUM_MSG)
780	echo_on = xmalloc((num + 1) * sizeof(u_int));	803	fatal("%s: recieved %u PAM messages, expected <= %u",
		804	__func__, *num, PAM_MAX_NUM_MSG);
		805	prompts = xcalloc((num + 1), sizeof(char *));
		806	echo_on = xcalloc((num + 1), sizeof(u_int));
781	for (i = 0; i < *num; ++i) {	807	for (i = 0; i < *num; ++i) {
782	(*prompts)[i] = buffer_get_string(&m, NULL);	808	(*prompts)[i] = buffer_get_string(&m, NULL);
783	(*echo_on)[i] = buffer_get_int(&m);	809	(*echo_on)[i] = buffer_get_int(&m);
@@ -860,8 +886,8 @@ mm_chall_setup(char name, char infotxt, u_int *numprompts,
860	*name = xstrdup("");	886	*name = xstrdup("");
861	*infotxt = xstrdup("");	887	*infotxt = xstrdup("");
862	*numprompts = 1;	888	*numprompts = 1;
863	prompts = xmalloc(numprompts * sizeof(char *));	889	prompts = xcalloc(numprompts, sizeof(char *));
864	echo_on = xmalloc(numprompts * sizeof(u_int));	890	echo_on = xcalloc(numprompts, sizeof(u_int));
865	(*echo_on)[0] = 0;	891	(*echo_on)[0] = 0;
866	}	892	}
867		893
@@ -928,9 +954,8 @@ mm_skey_query(void ctx, char name, char *infotxt,
928	u_int numprompts, char prompts, u_int echo_on)	954	u_int numprompts, char prompts, u_int echo_on)
929	{	955	{
930	Buffer m;	956	Buffer m;
931	int len;
932	u_int success;	957	u_int success;
933	char p, challenge;	958	char *challenge;
934		959
935	debug3("%s: entering", __func__);	960	debug3("%s: entering", __func__);
936		961
@@ -954,11 +979,7 @@ mm_skey_query(void ctx, char name, char *infotxt,
954		979
955	mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);	980	mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
956		981
957	len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;	982	xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
958	p = xmalloc(len);
959	strlcpy(p, challenge, len);
960	strlcat(p, SKEY_PROMPT, len);
961	(*prompts)[0] = p;
962	xfree(challenge);	983	xfree(challenge);
963		984
964	return (0);	985	return (0);